by pocketarc 2663 days ago
They don't need to grandfather anything - it's similar to the GDPR in the sense that you can give companies time to prepare, and then it comes into force.

Prepare the law, give companies 3-5 years to prepare, and after that, anything is fair game. If your company is accepting plaintext passwords there should be something that makes you say "oh we have 3 years to change this, let's hire someone to fix this". If a system is live and in use, it -should- follow some -minimal- standards for security.

That doesn't preclude your data breach fine idea - that'd be useful for more advanced security situations that can't be predicted (as you said, based on expert opinions).

But something as basic as "you're not allowed to pretend it's 2FA if it's just password + questions" or "you're not allowed to store passwords in plaintext", that sort of thing should be the minimal baseline that companies should have to adhere to, surely.